The Rise of Privacy by Design as an Imperative

Data privacy is among the top policy trends of this decade. All over the world, security regulators are coming down heavily on organizations that do not adhere to data privacy requirements. The EU alone, with its General Data Protection Regulation (EU GDPR) has collectively imposed fines of €380 million ($417 million) under GDPR in about 12 months starting May 2018. Regulations in other parts of the world such as the California Consumer Privacy Act (CCPA) are also becoming stringent.

Data Privacy has existed for more than a decade. Privacy policies try to give the data owner (the consumer) the right to know what type of personally identifiable information (PII) is being collected and how it will be used. In addition, privacy regulations are increasingly insisting on allowing the data owner to opt out of having their data used and provide the option of legal action when regulations are breached. 

These regulations make common sense. And should therefore be an intrinsic part of system and application design. Essentially the data protection principles should be built “by design and by default”. In simpler words, it means to “knit the fabric with security in each stitch”.

Data Privacy has shot into the limelight recently because the countries and regions adding regulations is growing swiftly. From Argentina to Australia, India, Japan, and Taiwan, over 50 nations already have data privacy laws. And the number of lawsuits based on privacy violations and breaches of individual’s rights is growing.

In response to the concerns around data privacy, the practice and framework of Privacy by Design is gaining traction. The term, as is perhaps already evident, means that security should be built into a product by design instead of being added in later by third party products and services.

When does it apply and to who?

Privacy by Design applies to individuals and organizations engaged in developing or maintaining business processes and IT systems:

  • IT Systems: Data protection by design must be well thought through and integrated into projects from the start of a plan. There are ways to ensure this becomes simple: from a SDLC  viewpoint:

Requirements Gathering

  • Identify privacy and security expectations, PII data elements 
  • Consider security aspects for application/systems upgrades/revamp   
  • Identify infrastructure security requirements
  • Identify security threats and vulnerabilities 
  • Review security threats and vulnerabilities from stand point of individuals/data subjects
  • Consider data security aspects for the 3 states of digital data – “data at rest”, “data in transit” and “data in use”


  • Consider “Security by Design” as a concept and apply the principles
  • Consider a layered approach to design and use best practices for ensuring application security e.g. OWASP Top 10 application security risks, VAPT, WAPT
  • Demonstrate how privacy and security is built in the architecture/blueprint 
  • Consider using masking, hashing, encryption, network security, backup, end point security etc. for securing data and infrastructure


    • Analyse and implement the fixes required to eliminate “false positives”
    • Trace the development to requirements to ensure all security requirements are addressed


    • Consider Vulnerability testing including Infrastructure and Application tests, VAPT, WAPT
    • Identify clear responsibilities with customers on test scope, provision of data and test environments
    • Ensure security requirements are rolled to in production 
  • Organizations: The performance of business activities requires the identification of data owners in an organization – data being sourced primarily from employees, customers and service providers. Each activity like data collection, deletion and processing requires assignment of role and data owners must be identified in an activity within business process. Consider Privacy by Design philosophy in business processes within functional groups by –   
  • Ensuring privacy in workflows of business processes and touch points of data exchange between processes
  • Design the business activities to protect personal data
  • Define role-based accesses

It has become critical to build a privacy culture in organizations as data privacy regulators across the world become more active. Going forward, managing data privacy should be a consideration even before developers get down to writing code.

Leave a Reply

Your email address will not be published.

Beware of fraudulent and fake job offers

It has come to our attention that certain employment agencies and individuals are asking people for money in exchange for a job at ITC Infotech.

Such Agencies/individuals could impersonate ITC Infotech's officers, use the company name/logo, brand names and images illegally, without authorization, and/or try to extract money towards security deposit, documentation processing fees, training fees, and so on.

Please note that ITC Infotech never asks job applicants or members of the public to pay money in any form while recruiting.

Feel free to reach out to us at to report any such incidents that you may have experienced, please use the subject line “Recruitment Fraud Alert” in your message.

Always exercise caution and stay protected against fraud:

  • Do not pay money or transfer funds to anyone toward securing an ITC Infotech job. ITC Infotech will not accept liability for any losses that may have been suffered by the victims of such fraudulent activities.
  • Be careful when sharing your personal information and protect yourself from potential damage. Do not engage with people who fraudulently misrepresent ITC Infotech or its employees/officers and try to solicit payments under the pretext of offering jobs.
View Current Openings
Choose Language »
Don`t copy text!